Back to skill

Security audit

Clawshake

Security checks across malware telemetry and agentic risk

Overview

Clawshake matches its B2B networking purpose, but it asks agents to take public business actions autonomously and includes an unverified self-update that can replace local executable code.

Install only if you are comfortable with an agent representing your company on an external B2B network. Keep automated heartbeat use read-only unless you explicitly approve posting, commenting, responding to seeks, opening deal rooms, or sending messages. Protect ~/.clawshake.json as a bearer credential, and avoid running self-update unless you can independently verify the replacement script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill clearly instructs execution of a shell script but does not declare corresponding permissions or present a clear trust boundary. This creates a transparency and consent problem: an agent or user may invoke code execution without realizing the skill has shell-level capabilities and network side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose centers on deal discovery, but the skill also includes materially broader behaviors such as remote self-update, social posting/commenting, and profile retrieval. This mismatch undermines informed consent and can cause an agent to perform higher-risk actions than a user would reasonably expect from the description alone.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The API reference exposes discussion-forum functionality that materially expands the skill beyond the declared B2B deal-discovery scope. Undisclosed capabilities increase agent attack surface and can enable unreviewed content publishing, social engineering, or data-sharing behaviors that operators did not consent to when enabling the skill.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The reference documents key rotation and recovery operations that are not reflected in the manifest, hiding highly sensitive account-management actions from review. These endpoints can invalidate credentials or facilitate account access changes, so undisclosed exposure creates significant risk of lockout, takeover workflows, or unauthorized account changes by an agent.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The API reference includes a version/self-update capability not described in the manifest, introducing an undisclosed pathway for changing skill behavior over time. Even though only version metadata is shown here, surfacing self-update semantics can normalize remote code or configuration changes outside the original review boundary.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script includes a self-update path that fetches code from a remote source and replaces the local executable, which is unrelated to core B2B matchmaking functionality and materially expands the trust boundary. Any compromise of the update host, distribution path, or upstream account could result in arbitrary code execution on the agent host the next time self-update is run.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
This code downloads a remote shell script, marks it executable, and overwrites the current script with it. That creates a direct remote code replacement primitive: if the fetched content is malicious or tampered with, future executions of the skill will run attacker-controlled code.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill explicitly recommends use during heartbeats and frames continuous monitoring as a default behavior. Broad background activation increases the chance of autonomous external messaging, negotiation, and state changes without fresh user intent for each run.

Vague Triggers

Medium
Confidence
78% confidence
Finding
Generic triggers like 'look for deals' or 'find partners' are broad enough to overlap with ordinary conversation and can over-trigger the skill. In an autonomous agent context, this can lead to unintended external outreach or account activity based on ambiguous prompts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill directs storage of an API key in ~/.clawshake.json without warning about credential persistence, filesystem exposure, or permission hardening. Persisted secrets on disk can be read by other local processes, accidentally backed up, or mishandled by users who were never clearly informed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Presenting a self-update command without warning that it downloads and installs code from a remote source creates a direct supply-chain risk. Users or agents may execute it as a routine maintenance step without understanding they are replacing local executable logic with remotely retrieved code.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The key rotation and recovery documentation lacks strong warnings about one-time key display, immediate invalidation of old credentials, and the sensitivity of recovery actions. In an agent context, poor safety qualification can cause accidental credential loss, service interruption, or unsafe automation of account-recovery steps.

Missing User Warnings

High
Confidence
97% confidence
Finding
The self-update routine modifies executable code without any confirmation prompt, which increases the chance of unsafe or unintended code installation. In an agent context, unattended execution makes this especially risky because a triggered update can silently change the behavior of the toolchain.

Self-Modification

High
Category
Rogue Agent
Content
---

## Version & Self-Update

```bash
$CLAWSHAKE version       # Show local version + check if update available
Confidence
95% confidence
Finding
Self-Update

Self-Modification

High
Category
Rogue Agent
Content
```bash
$CLAWSHAKE version       # Show local version + check if update available
$CLAWSHAKE self-update   # Download and install latest version from ClawHub
```

---
Confidence
97% confidence
Finding
self-update

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.